OTP Login, 2FA & Account Security

Write a review
Five phone-based account features in one CS-Cart add-on: OTP login, magic-link sign-in, two-factor authentication, phone verification at registration/checkout, and password reset by phone. Eight SMS providers (Twilio, Vonage, Infobip and more) plus WhatsApp, three-layer rate limiting, trusted devices, and a full audit log.
$69.00

OTP Login, 2FA & Account Security add-on for CS-Cart

Five phone-based sign-in and account-security features in one add-on — enable only what your store needs

OTP Login, 2FA & Account Security gives your CS-Cart store a complete set of phone-based authentication tools. Customers can sign in with a one-time code sent to their phone instead of a password, log in with a “magic link” emailed to them, or add a one-time code as a second factor on top of their password. You can require new shoppers to verify a real phone number at registration or checkout, and let anyone reset a forgotten password by phone instead of email. Each of the five features has its own on/off switch, so you turn on only what fits your store.

Codes are 4–8 digits (default 6), randomly generated, single-use, and valid for only a few minutes. Three layers of rate limiting — per phone, per visitor, and a store-wide daily cap — keep a runaway flow from draining your SMS budget, while a CAPTCHA challenge and burned codes shut down brute-force guessing. The add-on ships with eight SMS providers out of the box — Twilio, AWS SNS, Vonage, Infobip, MSG91, Gupshup, Unifonic, and a generic Webhook — with optional WhatsApp delivery through Vonage and Infobip. Pick a provider, paste the credentials, send a test code, and you’re live.

Key Features

  • Five Features, One Add-on — OTP login, magic link, 2FA, phone verification at registration/checkout, and password reset by phone, each toggled independently
  • Eight SMS Providers — Twilio, AWS SNS, Vonage, Infobip, MSG91, Gupshup, Unifonic, and a generic Webhook for any custom integration
  • WhatsApp Delivery — send codes over WhatsApp through Vonage and Infobip in addition to SMS
  • Strong One-Time Codes — random, single-use, time-limited, and never stored as plain text, checked with a constant-time comparison
  • Three Layers of Rate Limiting — per-phone, per-visitor, and a store-wide daily SMS cap so a flood of requests can’t run up your bill
  • Brute-Force Protection — a CAPTCHA challenge kicks in after repeated failed attempts and codes are burned after too many wrong guesses
  • Trust This Device — returning customers can skip 2FA on a recognized browser for up to 60 days, with a window you choose
  • Account Takeover Protection — a phone verified to one account can’t be silently transferred during registration or a phone change, and the verified profile phone field is read-only on both browser and server
  • Native CS-Cart Look — success and error banners match CS-Cart’s standard style and phone inputs reuse the registration-page country-flag picker
  • Full Audit Log — every code send, failed verify, magic-link click, phone change, and provider error is recorded, with a recent-events panel on the admin user page
  • Send Test OTP Tool — confirm your provider is reaching real phones from the settings screen without burning your customer SMS budget

How It Works

  1. A customer chooses a phone-based option — the “Login with phone” or “Magic link” tab on the sign-in page, or a phone-based password reset
  2. The add-on validates the phone number, checks the send limits, generates a code, and asks your chosen SMS provider to deliver it (or emails a single-use link for magic-link sign-in)
  3. The customer enters the code on the verify screen; the add-on checks it, marks it as used so it can’t be replayed, and signs them in with a fresh session
  4. For two-factor sign-in, CS-Cart confirms the password first, then the add-on sends a code to the verified phone before letting the customer through — unless “Trust this device” is set for that browser
  5. At registration or checkout, the account or order proceeds normally and the customer verifies the entered phone with a code; if the provider is down or the daily cap is reached, they continue with a warning notice instead of being stuck
  6. To change a verified number, the customer uses the dedicated “Change phone number” flow, proving the new phone with a fresh code before the change is saved
  7. A daily cron job cleans up expired codes and old verification records automatically

Requirements

  • CS-Cart Store Builder or Multi-Vendor (single or multiple storefronts) 4.6.3 or higher
  • PHP 7.4 or higher (PHP 8.0+ recommended)
  • An account with a supported SMS provider (Twilio, AWS SNS, Vonage, Infobip, MSG91, Gupshup, Unifonic) or a webhook endpoint that accepts the add-on’s POST requests
  • Outbound HTTPS access from your server to your provider’s API endpoint
  • A daily cron entry for cleanup (or a periodic click on the “Cleanup” button)

Installation

  1. Go to Add-ons > Manage add-ons, click Manual installation, and upload the addon zip file
  2. Activate the addon and enter the license key
  3. Click the addon name to open its settings, pick your SMS provider, paste the credentials, and choose which of the five features to enable
  4. Use the Send Test OTP tool in settings to confirm the provider is reaching real phones before turning on customer-facing features
  5. Add a daily cron entry to call the cleanup endpoint (see the Cron row in Configuration Options)

Configuration Options

Settings are root-administrator only and are grouped into sections. Open them by clicking the addon name (or its gear icon) under Manage add-ons.

SettingDescription
FeaturesSix independent toggles: Enable OTP login, Enable magic link, Enable two-factor authentication, Enable OTP at registration, Enable OTP at checkout, and Enable password reset via OTP. All start off — turn on only what your store needs.
SMS ProviderChoose one of Twilio, AWS SNS, Vonage, Infobip, MSG91, Gupshup, Unifonic, or Webhook. Each provider exposes its own credential fields (only the selected provider’s fields are used); Vonage and Infobip add WhatsApp delivery options, and Webhook takes a URL, optional headers, an optional auth secret, and a JSON body template.
OTP Length4, 5, 6 (default), 7, or 8 digits.
OTP TypeDigits only (default) or alphanumeric.
OTP Expiry (minutes)Default 5. After this many minutes the code is invalid and a new one must be requested.
Max Attempts per OTPDefault 5. After this many wrong entries the code is burned.
Resend Cooldown (seconds)Default 60. How long a customer must wait between code requests for the same phone.
Default Country CodeFor example +1. Used when a phone number is entered without a country code.
Phone Format ValidationHow strict the phone-input check is.
Require Phone at Registration / CheckoutForce a phone field on the registration form or on guest checkout (separate from OTP verification).
Trusted DevicesEnable “Trust this device” after a successful 2FA and set the Trust Duration (7, 14, 30, or 60 days).
Rate LimitsRate Limit per Phone (default 5/hour), Rate Limit per IP (default 10/hour), and a Daily SMS Cap per store (default 500).
Test ModeWhen on, the addon accepts a fixed code (Test Mode Code, default 123456) instead of sending an SMS. For development servers only; an admin banner reminds you it’s on.
TemplatesSMS Template and WhatsApp Template message text; the placeholder {{code}} is replaced with the one-time code.
Admin ToolsSend Test OTP delivers a code to a phone you specify (root admin only, capped at 5 sends per 24 hours per admin).
CronAdd a daily cron entry to run the cleanup, with an optional cron secret so an unattended scheduler can run without an admin session.

Support

For questions, issues, or feature requests, contact us at www.cartmodules.com.

Billing Type:
Lifetime
Compatible versions:
  • 4.10.1
  • 4.10.2
  • 4.10.3
  • 4.10.4
  • 4.10.4.SP1
  • 4.11.1
  • 4.11.2
  • 4.11.3
  • 4.11.4
  • 4.11.5
  • 4.12.1
  • 4.12.2
  • 4.13.1
  • 4.13.2
  • 4.13.2.SP1
  • 4.13.2.SP2
  • 4.13.3
  • 4.14.1
  • 4.14.1.SP1
  • 4.14.2
  • 4.14.2.SP1
  • 4.14.3
  • 4.14.3.SP1
  • 4.15.1
  • 4.15.1.SP1
  • 4.15.1.SP2
  • 4.15.1.SP3
  • 4.15.1.SP4
  • 4.15.2
  • 4.16.1
  • 4.16.2
  • 4.17.1
  • 4.17.2
  • 4.17.2.SP1
  • 4.6.3
  • 4.7.1
  • 4.7.2
  • 4.7.3
  • 4.7.4
  • 4.8.1
  • 4.8.2
  • 4.9.1
  • 4.9.2
  • 4.9.3
Localizations:
  • English
Payment type:
One-time payment
Product:
  • Multi-Vendor
  • Multi-Vendor Plus
  • Multi-Vendor Ultimate
  • Store Builder
  • Store Builder Plus
  • Store Builder Ultimate

Addons features

Development:
  • Backend
Recipient:
  • For customer
  • For owner
  • For vendor
Server Update:

Shared features

External ID:
CartModules-Afterpay
Free:
License number prefix:
CARTMODULES
On market:
RTL Support:

No reviews found

FAQ Block